Comments on E.ONs experiences with implementing and evaluating the Section 404 requirements

E.ON started the groupwide implementation of the requirements of Section 404 SOA in autumn 2003. Our main experiences are the following:
1. The dimension of documentation both on process and control level was underestimated. To fulfill the requirements written guidelines, flow charts and other formal descriptions are necessary. As Section 404 does not give any precise details about the format and concrete contents of those documents there were a lot of uncertainties whether it is possible to use existing documents or to introduce a standardized documentation format.
2. Another big issue was the question of the process scoping. In our view it would be very helpful to have a certain guidance which processes resp. which internal controls have to be considered, e.g. by the official introduction of materiality limits which could reduce the scoping dimension significantly.
3. We saw very fast the necessity of an efficient IT-tool to realize the needed groupwide standardization and transparency. Because it was impossible to use an established IT-system we had to implement a completely new IT-tool which caused high costs and can be used more or less only for the purposes of Section 404.
4. The double testing on the one side from the management itself and on the other side from the external auditor is very time intensive and expensive. We would appreciate it if the external auditor could use more testing results when the internal audit department is carrying through the internal testing of effectiveness. That could reduce the dimension of the samples of the external auditors and so the corresponding expenses.